Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/42151?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/42151?format=api", "purl": "pkg:pypi/jupyterhub@4.0.0b1", "type": "pypi", "namespace": "", "name": "jupyterhub", "version": "4.0.0b1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.4.5", "latest_non_vulnerable_version": "5.4.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74542?format=api", "vulnerability_id": "VCID-5d2g-z6vz-gkb8", "summary": "JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33709", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0257", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33709" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jupyterhub/jupyterhub" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T17:33:39Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T17:33:39Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33709", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33709" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132715", "reference_id": "1132715", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132715" }, { "reference_url": "https://github.com/advisories/GHSA-3vff-hjqv-m7h8", "reference_id": "GHSA-3vff-hjqv-m7h8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vff-hjqv-m7h8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111504?format=api", "purl": "pkg:pypi/jupyterhub@5.4.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-yh4a-fw6z-tyfc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@5.4.4" } ], "aliases": [ "CVE-2026-33709", "GHSA-3vff-hjqv-m7h8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5d2g-z6vz-gkb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47360?format=api", "vulnerability_id": "VCID-g6zf-6yqx-r7gx", "summary": "Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing\nAffected configurations:\n\n- Single-origin JupyterHub deployments\n- JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server.\n\nBy tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve the following:\n\n- Full access to JupyterHub API and user's single-user server, e.g.\n- Create and exfiltrate an API Token\n- Exfiltrate all files hosted on the user's single-user server: notebooks, images, etc.\n- Install malicious extensions. They can be used as a backdoor to silently regain access to victim's session anytime.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28233", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29065", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28233" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jupyterhub/jupyterhub" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-15T14:36:04Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388", "reference_id": "1070388", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28233", "reference_id": "CVE-2024-28233", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28233" }, { "reference_url": "https://github.com/advisories/GHSA-7r3h-4ph8-w38g", "reference_id": "GHSA-7r3h-4ph8-w38g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7r3h-4ph8-w38g" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g", "reference_id": "GHSA-7r3h-4ph8-w38g", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-15T14:36:04Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42156?format=api", "purl": "pkg:pypi/jupyterhub@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5d2g-z6vz-gkb8" }, { "vulnerability": "VCID-jruk-8qvr-d3hh" }, { "vulnerability": "VCID-yh4a-fw6z-tyfc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@4.1.0" } ], "aliases": [ "CVE-2024-28233", "GHSA-7r3h-4ph8-w38g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g6zf-6yqx-r7gx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36851?format=api", "vulnerability_id": "VCID-jruk-8qvr-d3hh", "summary": "JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users.\nIn effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41942", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0013", "scoring_system": "epss", "scoring_elements": "0.32069", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41942" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jupyterhub/jupyterhub" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba" }, { "reference_url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:16:29Z/" } ], "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2024-200.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2024-200.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078344", "reference_id": "1078344", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078344" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41942", "reference_id": "CVE-2024-41942", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41942" }, { "reference_url": "https://github.com/advisories/GHSA-9x4q-3gxw-849f", "reference_id": "GHSA-9x4q-3gxw-849f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9x4q-3gxw-849f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42162?format=api", "purl": "pkg:pypi/jupyterhub@4.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5d2g-z6vz-gkb8" }, { "vulnerability": "VCID-yh4a-fw6z-tyfc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@4.1.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/82376?format=api", "purl": "pkg:pypi/jupyterhub@5.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5d2g-z6vz-gkb8" }, { "vulnerability": "VCID-yh4a-fw6z-tyfc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@5.1.0" } ], "aliases": [ "BIT-jupyterhub-2024-41942", "CVE-2024-41942", "GHSA-9x4q-3gxw-849f", "PYSEC-2024-200" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jruk-8qvr-d3hh" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterhub@4.0.0b1" }